Microsoft Simplifies Office 365 Policies for Volume Licensing Users

The OST document took effect on July 1 and lays down the terms for using Office 365 product offerings, including Office Online, Exchange Online, SharePoint Online, Lync Online, Windows Intune and other services for Microsoft's volume licensing customers. It also describes privacy terms, license transfer restrictions and data retention terms, along with the core features of the services that Microsoft pledges to support throughout the subscription term.

Microsoft claims that the new OST document, which gets updated on a quarterly basis, has simplified the terminology compared with its predecessor and has eliminated redundancies. In addition, Microsoft is pledging that it offers the "best terms for privacy and security across all online services," according to a blog post.

In particular, Microsoft has applied the European Union's Model Clauses by default for all of its volume licensing Online Services customers, even if the customer is located outside of European Union's jurisdiction. Microsoft had promised to extend that legal privacy framework to all of its Online Services customers back in April, which is when Microsoft received an endorsement of its privacy protections from the European Union's Data Protection Authorities.

Online Services Commitment
Most importantly for organizations, Microsoft's OST document promises to apply its terms for the duration of the subscription.

"Microsoft now commits to the terms of this OST for the duration of the Customer's subscription for each Online Service," the OST document states (p. 3).

Enterprise Agreements associated with Microsoft's volume licensing may last about three years, so that's a relevant change. The point is underscored in recent licensing research published by Directions on Microsoft, an independent consultancy based in Kirkland, Wash. The Directions on Microsoft document, "Online Services Licensing Documentation Redesigned" (subscription required), explains that Microsoft's previous "Online Services Use Rights" document just established terms for online services for up to one year at most.

Privacy and Security
All organizations using Microsoft's Online Services are automatically covered by the European Union's Model Clauses unless they opt out. The OST document states that "Microsoft will...remain certified under the EU and Swiss Safe Harbor programs, provided that they are maintained by the United States government" (p. 10).

It's still a bit ambiguous, though. On page 7, the OST document states that Microsoft "will not disclose Customer Data to law enforcement unless required by law." That latter circumstance appears to subject of Microsoft's customers to the legal processes that exist in the United States, which can be nontransparent. For instance, the FBI's "national security letters" may request disclosure of information from a service provider while also forbidding the service provider from notifying the targeted organization about that request. Microsoft's OST document pledges to notify organizations of law enforcement requests, unless it's legally constrained from doing so.

Another ambiguity concerns data location requirements. Organizations operating within the European Union may have legal requirements for local storage of data. On page 8, Microsoft states that customer data "may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its affiliates or subcontractors maintain facilities." There's also language in the OST document, though, about organizations being able to specify the geographic area for storing data at rest for some Online Services (p. 9).

Michael Cherry, an analyst with Directions on Microsoft, pointed out in a phone conversation that the OST document only covers Microsoft's enterprise-level services. Consumer-oriented services that may get used in organizations don't have the same privacy protections. For instance, Microsoft account, which is often required to use various Microsoft services, isn't covered under the OST document's privacy terms. Another service not covered that might get used in organizations is Outlook.com. Cherry explains those nuances in two recent Directions on Microsoft publications, "Enterprise Cloud Agreements Comply with EU Privacy Rules" and "Updated Services and Privacy Agreements Affect Enterprises" (subscription required).

Microsoft's OST document offers another case in point. The Microsoft Social Listening feature in Microsoft Dynamics Online collects Twitter, Facebook and YouTube content. The document claims that "Social Content is not Customer Data" and so Microsoft reserves the right to store that information.

Core Features
The OST document spells out Microsoft's commitment to maintaining "Core Features" with some of its services. However, it's a spare list. For instance, Lync Online (p. 17) only lists instant messaging, presence and online meetings. There's nothing about maintaining enterprise voice. Similarly, with SharePoint Online (p. 19), Microsoft is only committed to supporting collaboration sites and storage features. Such lack of specificity could give some organizations pause.

"Regarding core features, yes the lack of specificity means it is possible (though you could argue how probable) that future technical changes could cause the service to no longer meet a customer's needs," commented Rob Horwitz, co-founder of Directions on Microsoft, in an e-mail. "And yes, with on-premises software, established product life-cycle policies mean that the time period between a major change and the point when use of the existing deployed software becomes untenable (for support or other reasons) is usually at least several years, which is more than adequate for customers to plan for and execute a transition. As online services policies now stand, it is possible that forthcoming disruptive changes don't leave an online services customer with sufficient time to execute an orderly transition before the subscription lapses."

Microsoft does offer a specific promise with regard to features supported through Microsoft Azure Services. It promises (p. 14) to give customers "12 months' notice before removing any material feature or functionality or discontinuing a service," unless compelled to do so by legal considerations or security or performance considerations. However, that stipulation doesn't apply to previews.

Things are just different with Microsoft's Online Services licensing compared with the more traditional perpetual licensing, according to Wes Miller, an analyst at Direction on Microsoft.

"In terms of support, Office 365 subscribers should remember that they are subscribing to a service, rather than buying a perpetual license," Miller stated in an e-mail.

The new OST document likely represents a step forward. Horwitz described it as "easier to navigate than its predecessor," for instance.

"The reorganization means customers and partners can find information faster, and the document may be less intimidating to first-time users," he said. "However, the OST largely preserves existing online services licensing rules, and thus understanding licensing requirements, options and compliance remains as challenging as before."